Install tool¶

Introduction¶

A TYPO3 backend account is not required in order to access the Install Tool, so it is clear that the Install Tool requires some special attention (and protection).

TYPO3 comes with a two-step mechanism out-of-the-box to protect the Install Tool against unauthorized access:

1. The ENABLE_INSTALL_TOOL file must exist in order for the Install Tool to be accessible.
2. An Install Tool password is required. This password is independent of all backend user passwords.

The Install Tool can be found as a stand-alone application via https://example.org/typo3/install.php. It is also accessible in the backend, but only for logged-in users with administrator and maintainer privileges.

The ENABLE_INSTALL_TOOL file¶

The ENABLE_INSTALL_TOOL file can be created by placing an empty file in one of the following file paths:

You usually need write access to this directory on the server level (for example, via SSH, SFTP, etc.) or you can create this file as a backend user with administrator privileges.

Conversely, this also means, you should delete this file as soon as you do not need to access the Install Tool any more. TYPO3 automatically deletes the ENABLE_INSTALL_TOOL file when you log out of the Install Tool or if the file is older than 60 minutes (expiry time).

Both features can be deactivated if the content of this file is KEEP_FILE. This is strongly discouraged.

The Install Tool password¶

The password for accessing the Install Tool is stored using the configured password hash mechanism set for the backend in the global configuration file config/system/settings.php:

<?php
return [
    'BE' => [
        'installToolPassword' => '$P$CnawBtpk.D22VwoB2RsN0jCocLuQFp.',
        // ...
    ],
];

The Install Tool password is set during the installation process. This means, in the case that a system administrator hands over the TYPO3 instance to you, it should also provide you with the appropriate password.

The first thing you should do, after taking over a new TYPO3 system from a system administrator, is to change the password to a new and secure one. Log-in to the Install Tool and change it there.

Accessing the Install Tool in the backend¶

The System Maintainer role allows for selected backend users to access the Admin Tools components from within the backend without further security measures.

The number of system maintainers should be as low as possible to mitigate the risks of corrupted accounts.

Users can be assigned the role in the Settings section of Install Tool -> Manage System Maintainers. It is also possible to manually modify the list by adding or removing the user's UID (be_users.uid) in config/system/settings.php:

<?php
return [
    // ...
    'SYS' => [
        'systemMaintainers' => [1, 7, 36],
        // ...
    ],
];

For additional security, the folders typo3/install and typo3/sysext/install can be deleted, or password protected on a server level (e.g. by a web server's user authentication mechanism). Please keep in mind that these measures have an impact on the usability of the system. If you are not the only person who uses the Install Tool, you should discuss the best approach with the team.

Generating the encryption key¶

The encryption key should be a random 96 characters long hexadecimal string. You can for example create it with OpenSSL:

openssl rand -hex 48 

It is possible to generate the encryption key via an API within TYPO3:

use \TYPO3\CMS\Core\Crypto\Random;
use \TYPO3\CMS\Core\Utility\GeneralUtility;

$encryptionKey = GeneralUtility::makeInstance(Random::class)->generateRandomHexString(96);